![Page 1: Antonio Nappa, Aristide Fattori, Marco Balduzzi, Matteo Dell'Amico, Lorenzo Cavallaro Seventh Conference on Detection of Intrusions and Malware & Vulnerability](https://reader031.vdocument.in/reader031/viewer/2022032604/56649e685503460f94b63bcc/html5/thumbnails/1.jpg)
Antonio Nappa, Aristide Fattori, Marco Balduzzi, Matteo Dell'Amico, Lorenzo Cavallaro
Seventh Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Bonn, Germany, July 2010
TAKE A DEEP BREATH: A STEALTHY, RESILIENT AND COST-EFFECTIVE BOTNET USING SKYPE
2 OUTLINE
Introduction
Skype Overview
System Description
Experiments
Security Analysis
Related Work
Conclusion
4 INTRODUCTION
Botnets are a major plague of the Internet
A plethora of techniques have been proposed to:
- understand botnets' modus operandi
- detect patterns typically exhibited by bot-infected machines
5 INTRODUCTION
Bot authors are constantly looking for the most appealing features a botnet should have:
- stealthiness (non-noisy, encrypted and distributed communications)
- resiliency (to node shutdown)
- cost-effectiveness (easy to infect/spread to new machines)
6 INTRODUCTION
Skype has a number of ancillary features that make it the ideal platform for a solid communication infrastructure.
It protects the confidentiality of its users by encrypting all their communications
It is fault-tolerant by adopting a de-centralized communication infrastructure
It is firewall- and NAT-agnostic
7 INTRODUCTION
Despite some efforts tailored to understanding Skype’s code and network patterns, such a closed infrastructure remains almost obscure
Skype-generated network traffic is thus extremely difficult to filter and difficult to analyze with common network-based intrusion detection systems
8 INTRODUCTION
The whole Skype infrastructure meets all the requirements for a stealthy, resilient, and cost-effective botnet
Lots of Skype users can potentially become victims of a powerful Skype-based botnet: the year 2009 alone counted 443 million active Skype accounts, with an average of 42.2 million active users per day
9 INTRODUCTION
Parasitic peer-to-peer overlay built on top of another decentralized overlay
10 INTRODUCTION
It is hard to tell bot traffic and regular Skype traffic apart
The malicious network has no bottlenecks and no single point of failure
The lack of a hierarchical structure allows any controlled node to be used as an entry point for the botmaster
The parasitic overlay network tolerates the loss of bots, should one or more of them become unavailable
The policy adopted for registering new nodes makes it cost-unattractive to obtain a comprehensive list of all the bots
12 SKYPE OVERVIEW
Skype is a widely used application, which features VoIP and calls to land-line phones, audio and video conferencing, SMS and instant messaging, and more.
It is organized as a hybrid peer-to-peer (P2P) network with central servers, super nodes, and ordinary clients.
13 SKYPE OVERVIEW
Super nodes play an important role in the whole network
Responsible for bootstrapping the network
Act as the point of entrance in the overlay infrastructure, and messages sent by a node are routed through them
15 THE SKYPE API
The Skype API allows developers to write applications using features such as sending chat or SMS messages, starting or redirecting calls, or searching for friends.
Unfortunately, this API mechanism is far from being as secure as the core of Skype is.
16 THE SKYPE API
A weakness of the API is that there is no control over the number of messages that a plugin is allowed to send.
17 THE SKYPE API
Every time a third party application wants to interact with Skype, a check is performed to determine if this software is allowed to access the API.
The mechanism used by Skype to accomplish this control is based on white/blacklisting.
18 THE SKYPE API
We opt for a different strategy: silently waiting for the authorization dialog to appear, and then performing a fake click to authorize the malware without user consent
20 SYSTEM DESCRIPTION
Messages exchanged between bots and the master are sent exactly as legitimate messages of the application.
This makes the botnet traffic indistinguishable from legitimate Skype traffic: parasitic overlay nodes behave as ordinary peers of the underlying "host" overlay network.
21 SYSTEM DESCRIPTION
22 BOTNET PROTOCOL
The communication between the bots and the master is protected by using an ad-hoc encryption scheme in addition to the encryption already performed by Skype.
To accurately replicate the behavior of botnets present in the wild, we designed the architecture in order to provide unicast, multicast and broadcast communication between the master and the bots.
23 MESSAGE ENCRYPTION
Bots can receive single commands, group commands and global commands, each using a different encryption key shared between the master and the bots
All nodes try to decrypt the messages they receive with the keys they possess.
All encrypted messages are prepended with a random string, so that messages containing the same clear text do not result in the same ciphertext.
24 MESSAGE PASSING
The message-passing procedure broadcasts every message to all participating peers in the network using a flooding algorithm: when a peer receives a new message, it forwards it to all neighbors.
By doing so, no routing information to reach the botmaster is disclosed
25 MESSAGE PASSING
26 BOTNET BOOTSTRAP
When new nodes join the botnet, they bootstrap their connection by generating a node key and by connecting to a set of pre-defined gate nodes (GNs), shipped with the binary, that serve as temporary neighbors for the network bootstrap.
The new node announcement contains its Skype username, the newly-generated node key and, as any communications sent from nodes to the botmaster
The botmaster responds with a list of l nodes that will be, from that moment on, the neighbors of the new node.
27 BOOTSTRAP FAIL-OVER
As a fallback measure, the bot issues a Skype search based on a criterion generated from a seed S that is common to all bots.
The master registers one or more Skype users with usernames generated starting from S and sets in their public fields, e.g. the status message, the list of the active GNs that the new bots have to use for their bootstrap phase.
28 BOOTSTRAP FAIL-OVER
As the approach relies on dynamic, daily updated external sources, it seems infeasible for a defense mechanism to predict and shut down all the soon-to-be-registered users in a timely, effective, and cost-effective manner.
Moreover, this fallback measure does not expose more information about the parasitic overlay than the normal bootstrap phase.
29 IMPLEMENTATION
The proof-of-concept bot has been entirely developed in Python, exploiting the capabilities of the Skype4Py library.
31 NETWORK TRAFFIC SIMULATION
We measure the effectiveness of the algorithm with two quantities:
- coverage, that is the percentage of nodes that are reached by a message sent from a given starting node
- overhead, expressed as the ratio between the number of messages sent in the whole system and the number of nodes in it.
A perfect algorithm would have a coverage of 100% (all bots are reached) and an overhead of 1 (each peer receives exactly one message).
32 NETWORK TRAFFIC SIMULATION
Start with a completely connected topology of l nodes, and then iteratively add new nodes connecting them with a random subset of l pre-existing ones, until we reach the desired size of n nodes.
For Erdős-Rényi (ER) random graphs, a key value is the number of edges in the network, which in our case (considering the probability that nodes are online) corresponds to the value of , where is the number of online nodes.
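As an added example (not the authors' simulator), the following Python script builds the growth topology just described, floods a message from one online node the way the message-passing slide describes (forward on first receipt to every neighbour except the sender), and reports coverage and overhead as defined above. The online probability p_online and the choice to normalise overhead by the number of online nodes are assumptions.

```python
"""Coverage/overhead simulation of flooding over the growth topology.

Topology: a complete graph of l nodes, then each new node links to l randomly
chosen existing nodes until there are n nodes. Each node is online with
probability p_online (assumed model). A message is flooded from one online
node; every node forwards a message it sees for the first time to all its
neighbours except the one it came from.
"""
import random
from collections import deque


def build_topology(n, l, rng):
    """Adjacency sets for the growth topology (requires n >= l >= 1)."""
    adj = {v: set() for v in range(n)}
    for i in range(l):                      # initial clique of l nodes
        for j in range(i + 1, l):
            adj[i].add(j)
            adj[j].add(i)
    for new in range(l, n):                 # each newcomer picks l distinct existing peers
        for peer in rng.sample(range(new), l):
            adj[new].add(peer)
            adj[peer].add(new)
    return adj


def flood(adj, online, start):
    """Flood from `start` across online nodes.

    Returns (set of online nodes reached, number of messages sent). A message
    addressed to an offline neighbour is still emitted by the sender, so it
    counts towards the overhead even though it is dropped.
    """
    if start not in online:
        return set(), 0
    reached = {start}
    queue = deque([(start, None)])
    sent = 0
    while queue:
        node, came_from = queue.popleft()
        for nb in adj[node]:
            if nb == came_from:
                continue
            sent += 1
            if nb in online and nb not in reached:
                reached.add(nb)
                queue.append((nb, node))
    return reached, sent


def simulate(n, l, p_online, trials, seed=0):
    """Average coverage (fraction of online nodes reached) and overhead
    (messages sent per online node) over `trials` random online sets."""
    rng = random.Random(seed)
    adj = build_topology(n, l, rng)
    cov_total = ovh_total = 0.0
    done = 0
    for _ in range(trials):
        online = {v for v in adj if rng.random() < p_online}
        if not online:
            continue
        start = rng.choice(sorted(online))
        reached, sent = flood(adj, online, start)
        cov_total += len(reached) / len(online)
        ovh_total += sent / len(online)
        done += 1
    return cov_total / done, ovh_total / done


if __name__ == "__main__":
    # With every node online, plain flooding always reaches everyone, but each
    # online node sees roughly 2*l messages instead of the ideal single one.
    print("p_online  coverage  overhead")
    for p in (1.0, 0.8, 0.6, 0.4, 0.2):
        cov, ovh = simulate(n=1000, l=5, p_online=p, trials=20)
        print(f"{p:8.1f}  {cov:8.3f}  {ovh:8.2f}")
```

With all nodes online the message count is exactly 2E - (n - 1) for E edges, so the overhead is independent of the random seed; lowering p_online shows how coverage degrades as the online subgraph fragments.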
33 NETWORK TRAFFIC SIMULATION
34 NETWORK TRAFFIC SIMULATION
35 NETWORK TRAFFIC SIMULATION
36 BOT DEPLOYMENT
Simulate the infection by injecting the bot execution code in the start-up scripts of the infected machine’s users.
Deployed our bot on 37 hosts, geographically distributed between France and Italy.
37 BOT DEPLOYMENT
38 BOT DEPLOYMENT
Booted every bot and made the botnet run for about 14 hours.
Used an ad-hoc fuzzer to instruct commands to the bots at random time intervals, registering 1,373 total issued orders.
The average time for the master to obtain an answer from a bot that executed a command ranged from 5.25 to 15.75 seconds
39 BOT DEPLOYMENT
40 BOT DEPLOYMENT
Installed the HotSanic analysis tool on all bots to monitor network, CPU, and memory used by the prototype.
Bandwidth consumption stayed below 1 KB/s, although during the bootstrap phase peaks of around 6 KB/s were observed, caused by the messages employed for bootstrapping.
42 SECURITY ANALYSIS
Extremely difficult to obtain information about the network topology by observing the traffic sent and received by bots: all traffic undergoes two levels of encryption (one provided by Skype, the other by our scheme)
43 SECURITY ANALYSIS
An attacker that takes control of an infected machine gains access to the list of the neighbors' Skype usernames and to the messages addressed from the master to that bot.
This data can be used to detect what the botnet, or part of it, is currently up to, but not much can be said about the overall botnet infrastructure.
44 SECURITY ANALYSIS
If an attacker can successfully reverse-engineer the malware, she is able to discover the hard-coded GNs and to collect the announcement sent during bootstrap
With this information, she can perpetrate a replay attack on the botnet.
45 SECURITY ANALYSIS
Since the messages are flooded to the whole network, an attacker can try to overburden the botnet nodes by sending a large number of meaningless messages to the network
46 A HOST-BASED SKYPE MALWARE DETECTOR
While all the network traffic is encrypted, the messages exchanged on the API communication channel established between Skype and a plugin are completely in clear text
It is therefore possible to analyze the actions performed by a plugin before they are delivered to the Skype core, and to infer a model that best describes the plugin's behavior.
47 A HOST-BASED SKYPE MALWARE DETECTOR
We propose a behavior-based analysis of the command protocol layer (CPL) of the Skype API, for the purpose of detecting whether an application is performing malicious actions through Skype.
The set of Skype’s API commands is quite small and therefore behavior-based analysis can be very effective when applied to the CPL.
48 A HOST-BASED SKYPE MALWARE DETECTOR
The detector has two components: the first is itself a Skype plugin, known as the proxy, while the second is WUSSTrace, a Windows user-space system call tracer
49 A HOST-BASED SKYPE MALWARE DETECTOR
The proxy component includes an analysis engine and several models of malicious behaviors that we created by observing the API calls issued by existing Skype malware.
By matching the behavior of the attached plugins against the malicious models at our disposal, it is possible to give a preliminary evaluation of the plugin's behavior.
50 A HOST-BASED SKYPE MALWARE DETECTOR
By performing our analysis at the higher CPL level, we avoid all the fine-grained details that other techniques must cope with
The first set of results we obtained shows a high rate of false positives during analyses performed over a certain temporal window.
We overcome this limitation by appropriately throttling the temporal window size and adding API message rate limiting.
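As an added example (not the authors' proxy or its models), the following Python script shows the kind of check the proxy can run on the clear-text command protocol layer: a mass-messaging model evaluated over a sliding temporal window, plus a token-bucket rate limiter on outgoing MESSAGE commands. The two traces are constructed for this example, the command verbs are modelled on Skype API verbs, and the thresholds are assumptions; the tight configuration reproduces the false-positive problem described above, the tuned one avoids it.

```python
"""Behavior-based check of plugin commands at the Skype API command protocol layer.

The proxy sees plugin commands in clear text before they reach the Skype core.
A sliding-window model flags mass messaging; a token bucket limits how many
MESSAGE commands are forwarded. Traces are constructed for this example.
"""
import re
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Constructed trace of a legitimate plugin: a user chatting with three contacts.
# Line format: "<seconds since attach> <VERB> [<target>] [<text>]".
BENIGN_TRACE = """\
0.0 PROTOCOL 8
1.0 SEARCH FRIENDS
5.0 MESSAGE alice hi
5.5 MESSAGE bob hi
6.0 MESSAGE carol hi
6.5 MESSAGE alice meeting at five?
7.0 MESSAGE bob meeting at five?
"""

# Constructed trace of a spamming plugin: 30 messages to 30 distinct users, one every 0.5 s.
MALICIOUS_TRACE = "0.0 PROTOCOL 8\n" + "".join(
    f"{2.0 + 0.5 * i:.1f} MESSAGE user{i:02d} click this link\n" for i in range(30))

CMD_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<verb>[A-Z]+)(?:\s+(?P<target>\S+))?")


@dataclass(frozen=True)
class Cmd:
    t: float
    verb: str
    target: Optional[str]


def parse_trace(text):
    """Parse a CPL trace into Cmd records; lines that do not match are ignored."""
    cmds = []
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            cmds.append(Cmd(float(m["t"]), m["verb"], m["target"]))
    return cmds


class MassMessagingModel:
    """Alerts when more than max_msgs MESSAGE commands go to more than
    max_targets distinct recipients inside the last `window` seconds."""

    def __init__(self, window, max_msgs, max_targets):
        self.window, self.max_msgs, self.max_targets = window, max_msgs, max_targets
        self.recent = deque()  # (t, target) of MESSAGE commands still inside the window

    def observe(self, cmd):
        if cmd.verb != "MESSAGE":
            return False
        while self.recent and self.recent[0][0] < cmd.t - self.window:
            self.recent.popleft()
        self.recent.append((cmd.t, cmd.target))
        distinct = {tgt for _, tgt in self.recent}
        return len(self.recent) > self.max_msgs and len(distinct) > self.max_targets


class TokenBucket:
    """Rate limiter: `rate` tokens per second, at most `burst` stored, one token per MESSAGE."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, t):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def analyze(trace, window, max_msgs, max_targets, rate=1.0, burst=5):
    """Run the model and the limiter over a trace. Returns the number of alerts,
    the time of the first alert, and how many MESSAGE commands the limiter stopped."""
    model = MassMessagingModel(window, max_msgs, max_targets)
    bucket = TokenBucket(rate, burst)
    alerts, first_alert, dropped = 0, None, 0
    for cmd in parse_trace(trace):
        if cmd.verb == "MESSAGE" and not bucket.allow(cmd.t):
            dropped += 1  # not forwarded to the Skype core
        if model.observe(cmd):
            alerts += 1
            first_alert = cmd.t if first_alert is None else first_alert
    return {"alerts": alerts, "first_alert": first_alert, "dropped": dropped}


if __name__ == "__main__":
    # A short window with low thresholds flags an ordinary chat: a false positive.
    print("benign, tight  :", analyze(BENIGN_TRACE, window=10, max_msgs=3, max_targets=2))
    # A wider window with higher thresholds keeps the chat clean and still catches the spammer.
    print("benign, tuned  :", analyze(BENIGN_TRACE, window=60, max_msgs=20, max_targets=10))
    print("spammer, tuned :", analyze(MALICIOUS_TRACE, window=60, max_msgs=20, max_targets=10))
```

The limiter caps the damage from the moment the plugin attaches, while the model still sees every attempted command, so detection is not weakened by the messages that were dropped.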
52 RELATED WORK
Storm and Waledac are probably the two most famous P2P-based botnets present in the wild.
Although these botnets are hard to track down due to their decentralized infrastructure, researchers have shown how it is possible to infiltrate them, disrupt their communications, and acquire detailed information about the botnets’ modus operandi
53 RELATED WORK
Overbot uses an existing P2P protocol, Kademlia, to provide a stealth command and control channel while guaranteeing the anonymity of the participating nodes and the integrity of the messages exchanged among them.
54 RELATED WORK
In our approach, gate nodes are ordinary bot-infected nodes, and, as such, they perform message routing exactly as any other node
They are just used during the initial bootstrap phase every time a new infected node wants to join the network, but, after that, they do not need to continuously receive communication
55 RELATED WORK
A compromised node in our approach exposes only its symmetric key, which gives the chance to disclose the traffic sent only by that node
56 RELATED WORK
Research in the detection of bots based on the analysis of network events has proceeded by following two main directions
57 RELATED WORK
Vertical correlation: network events and traffic are inspected, looking for typical evidence of bot infections or command and control communications
58 RELATED WORK
Horizontal correlation: network events are correlated to identify cases in which two or more hosts are involved in similar, malicious communication
59 RELATED WORK
The parasitic overlay network presented in this paper has all the features required to thwart the current state-of-the-art botnet detection approaches.
Message encryption hampers the creation of content-based network signatures
Unknown routing strategies make it difficult to track down IP addresses
Skype itself makes the network highly resilient to failure and provides a massive user corpus, which gives the chance to rely on a non-negligible number of bots
61 CONCLUSION
Design and implementation of a stealth, resilient, and cost-effective botnet based on Skype
Future work:
- explore more efficient routing strategies for messages
- focus on the improvement of the host-based detection technique we briefly outlined